[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87frpegboy.fsf@oldenburg.str.redhat.com>
Date: Wed, 02 Oct 2024 10:18:21 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Indu Bhagat <indu.bhagat@...cle.com>, Josh Poimboeuf
<jpoimboe@...nel.org>, x86@...nel.org, Peter Zijlstra
<peterz@...radead.org>, Ingo Molnar <mingo@...nel.org>, Arnaldo Carvalho
de Melo <acme@...nel.org>, linux-kernel@...r.kernel.org, Mark Rutland
<mark.rutland@....com>, Alexander Shishkin
<alexander.shishkin@...ux.intel.com>, Jiri Olsa <jolsa@...nel.org>,
Namhyung Kim <namhyung@...nel.org>, Ian Rogers <irogers@...gle.com>,
Adrian Hunter <adrian.hunter@...el.com>,
linux-perf-users@...r.kernel.org, Mark Brown <broonie@...nel.org>,
linux-toolchains@...r.kernel.org, Jordan Rome <jordalgo@...a.com>, Sam
James <sam@...too.org>
Subject: Re: [PATCH v2 03/11] unwind: Introduce SFrame user space unwinding
* Steven Rostedt:
> On Tue, 1 Oct 2024 11:20:35 -0700
> Indu Bhagat <indu.bhagat@...cle.com> wrote:
>
>> > So we trust user space to have this table sorted?
>> >
>>
>> GNU ld will create this table sorted when linking .sframe sections and
>> will set SFRAME_F_FDE_SORTED in flags in the output .sframe section. In
>> the current patch, I see the __sframe_add_section () includes a check
>> for SFRAME_F_FDE_SORTED for admitting SFrame sections.
>>
>> So proceeding here with the assumption that the SFrame FDE list is
>> sorted should work fine.
>
> No not at all! We *cannot trust* user space. This could lead to a security
> hole if we assume it's sorted. The kernel must not trust anything it
> receives from user space. Because an attacker will be looking for ways to
> confuse the kernel to exploit it.
I don't quite understand, sorry.
Doing a binary search on an unordered table fails to find some entries
that could be discovered by a linear scan. But an attacker could just
as well use an incomplete table from the start. So assuming an ordered
table seems rather unlikely to introduce additional problems. (Given
the lack of a formal threat model, it's impossible to make more precise
claims in either direction.)
Thanks,
Florian
Powered by blists - more mailing lists